mirror of
https://github.com/ansible-lockdown/RHEL9-CIS.git
synced 2025-12-24 22:23:06 +00:00
328 lines
9 KiB
YAML
328 lines
9 KiB
YAML
---
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.1 | PATCH | Ensure changes to system administration scope (sudoers) is collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_1
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.1
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.2 | PATCH | Ensure actions as another user are always logged"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_2
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.2
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.3 | PATCH | Ensure events that modify the sudo log file are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_3
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.4 | PATCH | Ensure events that modify date and time information are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_4
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.4
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.5 | PATCH | Ensure events that modify the system's network environment are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_5
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.5
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_6
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.6
|
|
- NIST800-53R5_AU-3
|
|
block:
|
|
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
|
|
ansible.builtin.shell: for i in $(df | grep '^/dev' | awk '{ print $NF }'); do find $i -xdev -type f -perm /6000 2>/dev/null; done
|
|
changed_when: false
|
|
failed_when: false
|
|
check_mode: false
|
|
register: discovered_priv_procs
|
|
|
|
- name: "6.3.3.6 | PATCH | Ensure use of privileged commands is collected"
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
notify: update auditd
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.7 | PATCH | Ensure unsuccessful file access attempts are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_7
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.7
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.8 | PATCH | Ensure events that modify user/group information are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_8
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.8
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.9 | PATCH | Ensure discretionary access control permission modification events are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_9
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.9
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.10 | PATCH | Ensure successful file system mounts are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_10
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.10
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.11 | PATCH | Ensure session initiation information is collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_11
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.11
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.12 | PATCH | Ensure login and logout events are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_12
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.12
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.13 | PATCH | Ensure file deletion events by users are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_13
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.13
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SC-7
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.14 | PATCH | Ensure events that modify the system's Mandatory Access Controls are collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_14
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.14
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.15 | PATCH | Ensure successful and unsuccessful attempts to use the chcon command are recorded"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_15
|
|
tags:
|
|
- level2-server
|
|
- level2- workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.15
|
|
- NIST800-53R5_AU-2
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SI-5
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.16 | PATCH | Ensure successful and unsuccessful attempts to use the setfacl command are recorded"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_16
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.16
|
|
- NIST800-53R5_AU-2
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SI-5
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.17 | PATCH | Ensure successful and unsuccessful attempts to use the chacl command are recorded"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_17
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.17
|
|
- NIST800-53R5_AU-2
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SI-5
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.18 | PATCH | Ensure successful and unsuccessful attempts to use the usermod command are recorded"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_18
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.18
|
|
- NIST800-53R5_AU-2
|
|
- NIST800-53R5_AU-12
|
|
- NIST800-53R5_SI-5
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.19 | PATCH | Ensure kernel module loading and unloading and modification is collected"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_19
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.19
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_CM-6
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
# All changes selected are managed by the POST audit and handlers to update
|
|
- name: "6.3.3.20 | PATCH | Ensure the audit configuration is immutable"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_20
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.20
|
|
- NIST800-53R5_AC-3
|
|
- NIST800-53R5_AU-3
|
|
- NIST800-53R5_MP-2
|
|
ansible.builtin.set_fact:
|
|
update_audit_template: true
|
|
|
|
- name: "6.3.3.21 | AUDIT | Ensure the running and on disk configuration is the same"
|
|
when:
|
|
- rhel9cis_rule_6_3_3_21
|
|
tags:
|
|
- level2-server
|
|
- level2-workstation
|
|
- manual
|
|
- patch
|
|
- auditd
|
|
- rule_6.3.3.21
|
|
- NIST800-53R5_AU-3
|
|
ansible.builtin.debug:
|
|
msg:
|
|
- "Please run augenrules --load if you suspect there is a configuration that is not active"
|
|
|
|
- name: Auditd | 6.3.3.x | Auditd controls updated
|
|
when:
|
|
- update_audit_template
|
|
ansible.builtin.debug:
|
|
msg: "Auditd Controls handled in POST using template - updating /etc/auditd/rules.d/99_auditd.rules"
|
|
changed_when: false
|